Systems and methods for managing and protecting electronic content and applications

ABSTRACT

Systems and methods are disclosed for managing and protecting electronic content and applications. Applications, content, and/or users can be given credentials by one or more credentialing authorities upon satisfaction of a set of requirements. Rights management software/hardware is used to attach and detect these credentials, and to enforce rules that indicate how content and applications may be used if certain credentials are present or absent. In one embodiment an application may condition access to a piece of electronic content upon the content&#39;s possession of a credential from a first entity, while the content may condition access upon the application&#39;s possession of a credential from a second entity and/or the user&#39;s possession of a credential from a third entity. Use of credentials in this manner enables a wide variety of relatively complex and flexible control arrangements to be put in place and enforced with relatively simple rights management technology.

RELATED APPLICATIONS

This is a continuation of application Ser. No. 12/728,098, filed Mar.19, 2010, which is a continuation of application Ser. No. 11/741,556,filed Apr. 27, 2007, now U.S. Pat. No. 7,694,342 issued Apr. 6, 2010,which is a continuation of application Ser. No. 09/879,743, filed Jun.11, 2001, now U.S. Pat. No. 7,213,266 issued May 1, 2007, which claimsthe benefit of U.S. Provisional Application No. 60/210,479, filed Jun.9, 2000, each of which are incorporated herein by reference.

COPYRIGHT AUTHORIZATION

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

FIELD OF THE INVENTION

The present invention relates generally to managing electronic content.More specifically, systems and methods are disclosed for governingelectronic content and applications through the use of electroniccredentials and certification procedures.

BACKGROUND OF THE INVENTION

With the advent of the Internet and the prevalent use of electronicsystems, increased attention has been paid to protecting the interestsof content owners and to ensuring that the integrity of electronictransactions is not compromised. These are difficult tasks, however, asthe differences between electronic systems and their physicalcounterparts can have a profound effect on the feasibility of suchprotections and the ease with which they can be implemented.

While increasing attention has been paid to the development of systemsthat address these problems, these systems often lack interoperabilitywith other such systems, are overly complex, and/or place an undulylarge burden on a relatively small number of entities to provide thebulk of the system's security and functionality.

Systems and methods are thus needed for providing content creators,application developers, consumers, and regulators with increased powerand flexibility to define and create efficient markets for the exchange,control, and protection of digital goods and for the performance ofelectronic transactions.

SUMMARY OF THE INVENTION

The present invention provides systems and methods for managingelectronic content, and for enabling content owners, regulators, andothers to create flexible controls for content and applications and tomanage their level of risk. It should be appreciated that the presentinvention can be implemented in numerous ways, including as a process,an apparatus, a system, a device, a method, a computer readable medium,or as a combination thereof. Several inventive embodiments are describedbelow.

A method for certifying the functionality of an application program isdisclosed. The method includes sending an issuer's credential to acertification service, the credential being associated with at least (i)a set of rules that govern the use of the credential and (ii) a set ofcertification requirements. The method further includes sending anapplication to the certification service and verifying that theapplication meets the certification requirements. If the applicationmeets the certification requirements, a credential is attached to theapplication in a manner designed to facilitate detection ofmodifications to the application that would affect the application'scompliance with the certification requirements. A digital rightsmanagement engine obtains content with an associated control thatindicates that the content is to be used only on applications thatinclude a certain credential. The digital content may also be associatedwith a credential that indicates that it meets certain criteria. When anapplication attempts to access the content, the digital rightsmanagement engine checks the application for the appropriate credential.If the credential is found, the digital rights management engine mayallow the content to be used by the application; otherwise, the digitalrights management engine denies access to the content. The applicationmay check the content for the content's credential, and refuse toprocess the content if the credential is not present or has beenrevoked.

In another embodiment, a method of controlling the use of electroniccontent and applications is disclosed. The method includes associating aplurality of credentials with an application, each credentialdemonstrating the application's compliance with a predefinedspecification. A piece of content is associated with a control set thatchecks applications for the presence of one or more credentials. Thecontrol set is operable to allow use of the content if the appropriatecredentials are detected. In one embodiment, pieces of electroniccontent are also associated with one or more credentials, and anapplication is associated with a control set that is operable to cause acheck to be made of the credentials held by a piece of electroniccontent. If the appropriate credentials are detected, then theapplication processes the electronic content.

These and other features and advantages of the present invention will bepresented in more detail in the following detailed description and theaccompanying figures which illustrate by way of example the principlesof the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be readily understood by the followingdetailed description in conjunction with the accompanying drawings,wherein like reference numerals designate like structural elements, andin which:

FIG. 1 illustrates a system for certifying and credentialingapplications in accordance with an embodiment of the present invention.

FIG. 2 illustrates the generation of an application credential.

FIGS. 3A and 3B illustrate the verification of an applicationcredential.

FIG. 4 illustrates a system for certifying and credentialingapplications in accordance with an embodiment of the present invention.

FIG. 5 illustrates an arrangement for managing electronic content inaccordance with an embodiment of the present invention.

FIG. 6 illustrates another arrangement for managing electronic contentand applications in accordance with an embodiment of the presentinvention.

FIG. 7 illustrates a system for managing the generation and use ofprescriptions in accordance with an embodiment of the present invention.

FIG. 8 illustrates credentials with multiple attributes.

FIG. 9 illustrates a computer system for practicing embodiments of thepresent invention.

DETAILED DESCRIPTION

A detailed description of the invention is provided below. While theinvention is described in conjunction with several embodiments, itshould be understood that the invention is not limited to any oneembodiment. On the contrary, the scope of the invention is limited onlyby the appended claims and encompasses numerous alternatives,modifications, and equivalents. In addition, while numerous specificdetails are set forth in the following description in order to provide athorough understanding of the present invention, the present inventionmay be practiced according to the claims without some or all of thesedetails. For the purpose of clarity, certain technical material that isknown in the art has not been described in detail in order to avoidobscuring the present invention. For example, reference will be made toa number of terms and concepts that are well-known in the field ofcryptography. Background information on cryptography can be found, forexample, in Menezes et al., Handbook of Applied Cryptography (CRC Press1996)(“Menezes”); and Schneier, Applied Cryptography, 2d ed. (John Wiley& Sons 1995).

The present invention provides systems and methods for enhancing theflexibility, efficiency, and interoperability of digital rightsmanagement systems. Specifically, in one embodiment systems and methodsare provided for enabling a wide range of disparate entities to certifyapplications, content, and/or users, and to provide applicationdevelopers, content packagers, users, regulatory bodies, and/or systemadministrators with a way to condition content access and/or use on thedetection of one or more credentials associated with the outcome of thecertification process. Thus, the systems and methods of the presentinvention can be used to reduce the burden placed on any givencertification service, since a single authority is not needed to performa full certification of all applications, content, users, and the like.The systems and methods of the present invention also enable theefficient and flexible association of precisely-tailored rules withcontent via the application-certification and user-certificationprocesses, thus enabling rights management systems to be implementedmore efficiently and/or compactly.

FIG. 1 illustrates a system for practicing an embodiment of the presentinvention. Referring to FIG. 1, a credential authority 102 defines a setof requirements 103 that applications must meet in order to receive theauthority's credential. Credential authority 102 may, for example,represent a content provider, an industry association of contentproviders, a governmental or regulatory body, a consumer protectionorganization, a network security firm, a digital rights managementprovider, or any other suitable entity with an interest in controllingcertain aspects of the use or exchange of electronic information.Requirements 103 may, for example, specify the way an application 107 issupposed to handle or present electronic content to user 108.

As shown in FIG. 1, in some embodiments credential authority 102supplies its certification requirements 103 to an application developer106 and a certification service 104. Application developer 106 createsan application 107 a that conforms to requirements 103 and provides itto certification service 104. Certification service analyzes and testsapplication 107 a to make sure that it meets the requirements 103specified by credential authority 102. An application 107 a thatsatisfies these requirements is given an appropriate credential orcertificate 105. Upon obtaining credential 105, the applicationdeveloper 106 may distribute the credentialed application 107 to anapplication user 108.

Credential authority 102 also issues a copy of its credential ID and/orrelated identification data (e.g., one of the credential authority'spublic keys, or a public key of the entity from which authorization mustultimately flow) to content and controls packager 110. Content andcontrols packager 110 takes the credential ID or related data and usesit to create controls that can be associated with the content provider'scontent, the controls being operable to trigger a test for thecredential before allowing certain uses of the content. In a preferredembodiment these controls can be updated and delivered remotely and/orindependently of the content. Additional information on the creation ofrules and controls and on the association of rules and controls withcontent can be found in commonly-assigned U.S. Pat. No. 5,892,900,entitled “Systems and Methods for Secure Transaction Management andElectronic Rights Protection,” issued Apr. 6, 1999 (“the '900 patent”),which is hereby incorporated by reference in its entirety.

When user 108 attempts to use application 107 to process content 114,the user's system checks application 107 for the presence of theappropriate credential 105. If the credential 105 is present, theapplication 107 may proceed with using content 114. If credential 105 isnot present, use of content 114 can be prohibited. Thus, when thecredential 105 of an authority 102 is securely associated with anapplication 107—and content 114 is associated with a rule requiringcredential 105 to be present as a condition of granting application 107access to the content—application users 108 and content providers 101can be confident, within the security bounds of the certificationprocess and/or the credential, that the application will operate inaccordance with the credential authority's requirements andspecifications.

It will be appreciated that there are numerous ways to implement thefunctionality illustrated in FIG. 1. For example, in some embodimentscontent and controls packager 110 may comprise one or more distinctentities which package content and/or provide rules and controls thatcan be associated with previously-packaged content. In other embodimentscredential authority 102 may perform the functions of content andcontrols packager 110 and/or certification service 104 itself, asindicated in FIG. 1 by dotted line 112. Similarly, in some embodiments acredential issuer/provider 109 is used to generate the appropriatecredentials, to affix these credentials to application 107 a, and toprovide identification information to packager 110 for use in creatingrules that identify these credentials. In other embodiments, thefunctionality of credential issuer 109 can be subsumed within that ofany suitable combination of one or more of the other entities shown inFIG. 1. For example, the content owner and/or credential authority maygenerate the appropriate credential and/or affix it to the applicationor content.

Well-known cryptographic techniques can be used to generate credentials105. For example, as shown in FIG. 2, in some embodiments credential 105is formed by applying a strong cryptographic hash algorithm (e.g.,SHA-1) 202 to the application 200 (or to selected portions thereof) toyield hash or message digest 204. Message digest 204 (and, in someembodiments, identification information 207) is encrypted (206) usingthe certification service's (or credential authority's) private key 208to yield credential or signature 210. One of ordinary skill in the artwill recognize that a number of variations could be made to the processshown in FIG. 2. For example, in some embodiments, a checksum of all orpart of the application could be used instead of, or in addition to, thehash or message digest 204. It will be appreciated that there are avariety of other techniques for generating a credential or certificatefor an application, and that for purposes of practicing the presentinvention any suitable technique can be used. For example, use could bemade of the techniques described in Menezes at pages 1-45 and 283-488,the '900 patent, commonly-assigned U.S. Pat. No. 6,157,721, entitled“Systems and Methods Using Cryptography to Protect Secure ComputingEnvironments,” issued Dec. 5, 2000 (“the '721 patent”),commonly-assigned U.S. patent application Ser. No. 09/628,692, entitled“Systems and Methods for Using Cryptography to Protect Secure andInsecure Computing Environments,” and commonly-assigned U.S. patentapplication Ser. No. 09/863,199, entitled “Trust Management Systems andMethods,” filed May 21, 2001, each of which is hereby incorporated byreference in its entirety. In other embodiments, the use of a specialcertificate or credential (it should be noted that, in general, thesetwo terms will be used interchangeably) could be dispensed with, andverification of the certification or authorization of an application,user, or content object could simply be inferred based on possession ofa cryptographic key (e.g., a private or secret key) and/or other secret(or not so secret) information.

In some embodiments the user's system 108 includes digital rightsmanagement hardware and/or software for managing protected content andfor enforcing the rules and controls associated therewith. For example,INTERRIGHTS POINT™ software or RIGHTS/SYSTEM™ software could be used, ascould the Rights Operating System software described in the '900 patentor other systems that implement some or all of the virtual distributionenvironment functionality described therein. Alternatively, otherdigital rights management hardware and/or software could be used. Use ofdigital rights management software/hardware may be helpful in situationswhere the user may not be trusted and/or where the user's system may bedeemed to be otherwise insufficiently secure or reliable. As explainedin the '900 patent, digital rights management software/hardware can beused to ensure the secure, confidential, and reliable performance ofimportant operations, such as enforcing the rules associated withcontent (e.g., making sure that a credential check is performed, andthat it is performed accurately).

In preferred embodiments, communications between the user 108 and thecontent provider 101 and/or content packager 110 are conducted viasecure containers (e.g., encrypted electronic files). For example,DIGIBOX® or DIGIFILE™ secure containers produced by IntertrustTechnologies Corporation of 955 Stewart Drive, Sunnyvale, Calif. couldbe used. When a user attempts to access content contained in a securecontainer, the user's application sends the content to the digitalrights management system which extracts the content and/or the rulesassociated with the content, evaluates the rules, and determines whetherthe application is allowed to access the content and on what termsaccess should occur. For example, the digital rights management systempreferably handles the credential-verification process described above,and releases content to a rendering application only if the appropriatecredential is found and verified.

By using the certificates in this manner, content owners are effectivelyable to condition the use of their content on certain characteristics ofthe content-rendering application without the necessity of explicitlyincluding the details of these requirements in the controls that aredirectly associated with the content. For example, if the content ownerwanted to ensure that the content was used in a very specific manner bya rendering application, this could be handled by a single certificate,rather than requiring the digital rights management system to bemodified or enhanced to allow these particular rules to be expressed,associated with the content item, interpreted by the digital rightsmanagement system, and carried out by the application (which wouldtypically need to be certified by the digital rights management providerto ensure that the application would behave in a manner that wasconsistent with the rules). Thus, the present invention can help reducethe complexity of digital rights management systems and the burdenplaced on the provider of the digital rights management system to ensureinteroperability with other applications.

FIG. 3A illustrates the steps a user's system might perform in order todetermine if a requested piece of content can be accessed. Referring toFIG. 3A, upon receiving a request to access a piece of content (322),the rendering application (and/or the operating system of the user'ssystem, via MIME type mapping) invokes the rights managementsoftware/hardware that is operable to decide whether to grant or denyaccess to the content (324). The rights management system will typicallybase its decision on rules associated with the content, renderingapplication, user, and/or system. As described in the '900 patent, theserules may, for example, be stored in a protected database or encryptedwith the content. The digital rights management hardware/softwaredetermines which, if any, rules are relevant to the user's request(326), and, if one of the rules indicates that a certain credential isrequired, the digital rights management system checks for thiscredential (328). For example, the digital rights management system mayexamine a predefined portion of the application, or may simply send theapplication a request for the credential. If the credential is verified,the digital rights management system releases the content for therequested use (336); otherwise, the request is denied (334).

FIG. 3B illustrates a method by which the user's system can determine ifa valid credential is associated with an application 300. Referring toFIG. 3B, the user's system (or the digital rights management systemoperating in connection therewith) retrieves a potential credential 302from the application. For example, the credential may have a predefinedname and may be stored in a predefined application module. If acredential with the appropriate name is not found in the predefinedlocation, use of the content and/or application is prevented. If acredential is found, the user's system verifies theintegrity/authenticity of the credential and/or the application. Forexample, if the credentialing process shown in FIG. 2 is used, theuser's system (and/or digital rights management system) decrypts thecredential 302 using the certification (or credentialing) authority'spublic key 308, yielding message digest 310. The user's system (ordigital rights management system) also applies hash function 304 to theappropriate portions of the application program 300 to yield messagedigest 306. Message digest 306 is then compared with message digest 310.If the two message digests are equal, the user's system can be confident(within the security bounds of the signature scheme) that application300 is the same as that certified by certification service 104, as anymodifications an attacker may have made to the application (or tocredential 302) would cause the comparison to fail. It will beappreciated that other suitable methods can be used for checking thecredential(s) 105 of an application 107, and that the appropriate methodwill typically follow from that used to generate the credential bycertification service 104.

FIG. 4 shows a system in which multiple credentialing authorities 402work independently to certify an application 407 to their ownspecifications, and to provide application 407 with their owncredentials 405. As shown in FIG. 4, several credential authorities 402a, 402 b, 402 c might contract with the same certification service 404 ato certify an application on their behalf. Alternatively, a credentialauthority 402 n may elect to contract with its own certification service404 b. As yet another option, certain credential authorities 402 x mayelect to perform the certification process themselves.

Similarly, multiple credential authorities 402 a, 402 n may arrange withthe same packager 410 b to prepare content and/or controls on theirbehalf. Alternatively, credentialing authorities 402 a may arrange withtheir own dedicated content and/or controls packager 410 a, or mayperform these functions themselves (402 x). Thus, content owners canchoose to condition an application program's access to content on theapplication program's possession of a suitable combination ofcredentials, the credentials originating from a variety of credentialauthorities and/or certification services and attesting to theapplication's compliance with the authorities' specifications andrequirements.

It can thus be seen that the systems and methods of the presentinvention enable a variety of certification and control arrangements tobe put in place with relative ease. The controls that are associatedwith a particular piece of content can simply check for the presence ofan entity's certification, and need not specify the very specific mannerin which the content is to be, e.g., displayed or used, since thisbehavior is assured by the certification process. Such an approach alsoenables the certification process to be distributed and/or delegatedacross multiple, independently-responsible entities, thus obviating theneed for a central entity to take each industry group's certificationrequirements, certify applications in accordance therewith, and standbehind the accuracy of the certification process. By allowingcertification to be delegated, it is possible to obtain certificationsmore rapidly, to enable parties to certify applications themselves withwhatever level of rigor they choose, and to allow the risk of impropercertification to be borne by more than one party. Delegation anddistribution of certification authority may also help create a market ofcertification providers, thus allowing content providers and credentialauthorities to benefit from efficiencies of scale, specializedcertification experience, and market competition.

Delegation and decentralization of the certification/credentialingprocess also facilitates the creation of certain flexible models forsharing information. With a centralized system it may be infeasible orinefficient to express the very specific and idiosyncratic sorts ofcontrols on, e.g., content presentation and manipulation that certainindustry groups, content creators, governmental or regulatory bodies, orother organizations may want to specify in connection with the use ofcertain content.

For example, a pharmaceutical company might wish to require that contentonly be accessed by applications that display prescriptions in a certainfont size. A music company might wish to require any device that allowsaccess to the music company's content to display the music company'slogo in a predefined manner. Given the wide variety of industries, andgroups within each industry, each of whom might have its own specificrules regarding the use of certain content; it may be difficult for asingle entity to certify that a variety of different applications meetthe requirements specified by each industry group, and to provide thecontrols necessary for content providers to take advantage of thosefeatures. The systems and methods of the present invention avoid thisproblem by enabling application-specific content handling behavior to becontrolled by a credential check, and by providing a decentralizedmechanism for content owners or credentialing authorities to ensure, viathe certification process—with whatever level of rigor is desired—thatthe presence of a valid credential can be relied upon as an effectiveassurance that content will be handled in the desired manner.

It will thus be appreciated that there are a variety of ways toadvantageously apply the systems and methods of the present invention.Several exemplary applications are provided below for purposes of moreclearly illustrating various aspects of the present invention.

As shown in FIG. 5, in one embodiment credentialed applications arenested (or chained), such that one credentialed application is used toeffectively control the use of content by other credentialedapplications or devices. Referring to FIG. 5, a digital rightsmanagement system 500 is shown that contains an electronic content file514 in its protected storage (or otherwise under its control—e.g.,stored in unprotected storage but encrypted with a protected key). Thefile is packaged using the encoding format 512 of the digital rightsmanagement system 500, which may associate various rules and controlswith the content to govern its use. One such control specifies that foran application 502 to gain access to content 514, the application mustpossess a predefined credential 520. Similarly, application 502 isoperable to transmit a copy of content 514 to portable device 504 onlyif portable device 504 can produce a valid credential 522 (whichapplication 502 may verify itself or pass to digital rights managementsystem 500 for secure verification, as indicated by dotted line 530).Credentials 520 and 522 can be provided to application 502 and/orportable device 504 (e.g., stored in a predefined memory location) byappropriate credentialing authorities in the manner illustrated in FIGS.1 and 4. For example, the issuance of a credential 520 to application502 may be conditioned on a demonstration by application 502 that it canhandle interactions with portable devices in an appropriate manner(e.g., certification of the application may be dependent on theapplication demonstrating that it will check the certification status ofa portable device before transmitting protected content or keys to theportable device). Thus, digital rights management system 500 acts as thegatekeeper or root in a chain of interlocking credential checks. Anarbitrary number of digital rights management systems, applications,and/or devices can be interlocked in this manner. If application 502'scredential is revoked, application 502 may no longer be able to accessencoded content 514 and pass it to portable device 504. Revocation canbe accomplished by issuing credentials that expire, or simply by sendingan updated control to digital rights management system 500 thateffectively revokes recognition of the credential held by application502.

It should be noted that the nesting properties described above are notlimited to application programs and portable devices, but can also beapplied to virtually any program, device, process, or entity. Forexample, in one embodiment multiple digital rights management systemscan be chained in the manner described above. Such a process can befacilitated using the techniques described in commonly-assigned patentapplication Ser. No. 09/874,744, entitled “Systems and Methods forGoverning Content Rendering, Protection, and Management Applications,”filed Jun. 4, 2001, which is hereby incorporated by reference in itsentirety.

In another exemplary embodiment, the digital rights management hardwareand/or software on the user's system is operable to independently checkconnecting applications and devices for one or more credentials. Thatis, the digital rights management system may verify that an applicationmeets certain requirements, regardless of whether the content ownerpackaged its content in a way that requested such a check to beperformed. For example, in one preferred embodiment, applications arecertified by the digital rights management provider to ensure thatinteroperable applications provide a basic level of trusted operationwith respect to such fundamental content manipulation processes ascopying, saving, moving, printing, and the like. The user's digitalrights management software/hardware automatically checks for this basiccertification when it is requested to send content to an application.Additional layers of certification—for example, industry-specificcontent presentation requirements—are only checked if the contentpackager explicitly asks for such checks to be performed. In otherembodiments, such as in an enterprise setting, the user's digital rightsmanagement software/hardware may automatically check for a larger, morerestrictive set of credentials, such as enterprise-specific credentialsrelated to the types of operations that are authorized within theenterprise and/or by particular users within the enterprise. It willthus be appreciated that system architects and/or regulators (e.g.,governments, industry groups, etc.) can set a certain baseline ofcredentials that must be present regardless of whether the contentowners/packagers using the system specifically ask for such credentialsto be present.

Alternatively, or in addition, in some embodiments credentials areissued to content packaging applications and securely associated withthe packaged content. The user's digital rights management system and/orapplication software can check for the presence of the credential as aprecondition for rendering the content. This type of credential wouldthus give system architects and/or application developers a level ofcontrol over the type of content used in their system or with theirapplications. For example, a school district, parents association, orregulatory body may wish to only allow use of educational content fromcertain pre-approved sources. The school district could issue acredential to those pre-approved sources which would be packaged withthe content. The user's digital rights management software would checkfor the presence of the credential before sending the content to anapproved application. If such an “approval” credential were to fall intothe wrong hands, or if the credential owner failed to abide by theschool's policies regarding what constitutes appropriate content, thecredential could simply be revoked. A related example would be ahospital or pharmacy's requirement that all prescriptions received onits system originate from a properly-credentialed physician.

Moreover, content could be packaged in such a manner that it includesits own credential, while at the same time containing controls requiringchecks to be performed for certain application credentials as aprecondition for its use. Thus, the content's credential could be usedby a system architect to screen unwanted content, while theapplication's credential could be used by the content owner to preventuse of the content on uncertified applications or devices.

In another exemplary embodiment, a credential might be used to certifythat an application verifies (or purposely does not verify) the identityof its operator in a predefined fashion. Credentials could also beassigned to individual operators and/or systems upon the production ofsuitable identification, thus facilitating the secure transfer ofcontent between particular credentialed users. User identification canbe accomplished using digital certificates or credentials, or in anyother suitable manner. For example, the user might establish his or heridentity by using a password to log into the rights management systemand/or the system on which the rights management system is installed.Once the identity of a user has been validated, this information can beused to control the transfer and/or packaging of content, access toapplications, or any other suitable set of operations.

In some embodiments the credentials themselves may be interdependent.For example, one industry group may require as part of its certificationprocedure that an application first be credentialed by another industrygroup. If at any time the other industry group's credential were toexpire or be revoked, any credentials that were effectively dependent onthat credential would also cease to be valid.

In some embodiments, the rules associated with a piece of content mayalso contain instructions that can be passed to properly-credentialedapplications. The credentialed applications would be operable toretrieve the instructions and use them to process the protected contentin an appropriate manner. The digital rights management system thatverified the presence and authenticity of the application credentialneed not be able to understand the instructions itself. This provides away for one general-purpose digital rights management system to providesecurity and interoperability with other, application-specific digitalrights management systems.

FIG. 6 illustrates the use of credentials in accordance with embodimentsof the present invention. Referring to FIG. 6, a user 612 uses arendering application 614 to access content 604. Content 604 is securelypackaged and associated with rules 601, 602 that govern how the contentcan be used. As shown in FIG. 6, rule 601 indicates that the user mayaccess content object 604 if the user has purchased the rights to do so.Rule 602 indicates that in order for a rendering application to accesscontent object 604, the rendering application must have been certifiedby an entity “ABC”. For example, if content object 604 comprises amovie, song, book, or the like, entity ABC might represent the content'sauthor, owner, or an industry association of content owners, and thecertificate 616 specified by rule 602 may signify that renderingapplication 614 has been designed to operate in a manner that willsafeguard the content owner's interests (e.g., by preventing copies ofthe decrypted content to be made.). Content object 604 is preferablyprotected (e.g., encrypted) such that rights management engine 610controls access to it. For example, content object 604 might beencrypted using an encryption key held by the rights management enginein secure storage.

As shown in FIG. 6, content object 604 may also have a certificate 606associated with it, the certificate indicating that another entity(“XYZ”) has approved or otherwise certified content 606 as havingcertain predefined characteristics. For example, as previouslydescribed, if content object 604 comprises educational material, XYZmight be a regulatory authority responsible for evaluating thesuitability of content 604 for a certain audience. Or, if content object604 represented a prescription, certificate 606 may indicate thatcontent object 604 originated from an approved source (e.g., a licensedphysician or a certified packaging program).

As shown in FIG. 6, when a user 612 requests access to content 604 via arendering application 614, the request is routed to the rightsmanagement engine 610. Rights management engine 610 detects theassociation between rules 601, 602 and content object 604, and evaluateswhether the conditions specified by the rules have been satisfied. Inthe example shown in FIG. 6, the condition specified by rule 602 hasbeen met, since rendering application 614 has a certificate 616indicating that it has been approved by entity ABC.

Having determined that the rules 602 governing access to content 604have been satisfied, rights management engine 610 may release content604 to rendering application 614 (e.g., by decrypting it).Alternatively, digital rights management engine 610 may be programmed bythe system operator (e.g., the school district, pharmacy, or otherentity upon which the rendering application is loaded) to firstdetermine whether the rendering application possesses yet anothercertificate 618, this certificate attesting to the application'sconformance with another set of functional requirements specified byanother entity (e.g., the school district, pharmacy, system operator,etc.). For example, it may be desirable to certify that application 614will check content 604 for the appropriate certificate 606 beforepresenting the content to the user 612. Since the content owner may notcare about this requirement, content 604 may not have been packaged witha rule indicating that such a check needs to be performed. Thus, toensure that such a check is performed, system administrator might sendan additional rule to the rights management engine 610 indicating thatthis check needs to be performed (i.e., that content 604 must have acertificate 606 indicating that content 604 has been approved by XYZ).It will be appreciated that this can be accomplished in any of a varietyof ways. For example, a rule 607 could be delivered to rights managementengine 610 indicating that only content that has a certificate 606 maybe released to a rendering application 614. Alternatively, or inaddition, a rule 620 can be delivered to rights management engine 610,the rule indicating that in order for a rendering application 614 toreceive decrypted content, it must be certified by XYZ, certification byXYZ signifying that the application was designed to check for acertificate 606 before releasing content 604 to user 612 (e.g., bysending rule 607 to rights management engine 610). As yet anotherexample, the system administrator could simply contract with theapplication developer to provide rendering applications that check forcertificate 606, and only install such rendering applications on thesystem.

Thus, it will be appreciated that a number of modifications andvariations can be made to the illustrative embodiment shown in FIG. 6without departing from the present invention. For example, as shown inFIG. 6, in some embodiments, user 612 may be required to login to therights management engine 610 (e.g., using a password, smartcard,biometric identification technique, or the like) and/or the system orsystems on which rights management engine 610 and/or renderingapplication 614 are loaded. Moreover, in some embodiments, rules 602might also have credentials attesting to their origin and/or approval byone or more entities, and applications 610, 614 may be operable to checkfor such credentials before applying these rules.

It should be appreciated that the system and relationships shown in FIG.6 can be implemented in any suitable fashion. For example, renderingapplication 614, rights management engine 610, and content 604 may allbe stored on the same system (e.g., in the memory of a personalcomputer), or may be distributed between multiple systems (e.g., rightsmanagement engine 610 and/or content 604 might be located on a systemthat is remote from the system on which rendering application 614 isrunning). Moreover, as shown in FIG. 6, content object 604, rules 602,and certificates 606 may be packaged together in a secure electroniccontainer 608 that is accessible to the rights management engine 610.Alternatively, some or all of these objects may be packaged and/ordelivered separately.

It should also be appreciated that while embodiments can advantageouslybe used in an environment in which each user's system includesrelatively sophisticated digital rights management software for managingcontent in accordance with a variety of rules and controls, the systemsand methods of the present invention can also be advantageously appliedto environments in which the rights management software on the user'ssystems is relatively simple, and is operable to do little more thancheck for the presence of specified credentials. In such embodiments,while the foundational enforcement of the content owner's wishes canstill be thought to reside in the user's rights managementsoftware—since it is responsible for checking applications for therequisite credentials and certifications and conditioning access to thecontent on the results of that process—the responsibility for thecomplex array of possible uses by the application is effectivelyenforced by the content owner and/or credentialing authority through thecertification process (and the renewal, expiration, and/or revocation ofcredentials). Thus, while the rights management provider may be reliedupon to provide a certain baseline of trust and security (with varyingdegrees of security and/or reliability, depending on itsimplementation), the complex interplay between application developers,content owners, and credential authorities can be delegated anddecentralized, thus enabling faster adoption and modification ofbusiness arrangements between the potentially numerous parties involved,and more flexible, diverse, and narrowly-tailored content usage controlsand requirements. Note however, that in some embodiments, a separatedigital rights management system need not be used. Instead, the rightsmanagement functionality could simply be implemented directly by theapplication or a module thereof.

FIG. 7 illustrates the application of rights management techniques, suchas those described above, to secure the functions/events related toprescribing medicine. In particular, FIG. 7 illustrates a system thatenables prescriptions to be electronically generated and filled in asecure fashion.

As shown in FIG. 7, physicians 702 write prescriptions 704 usingapplication programs 707, and transmit the prescriptions (or otherwisemake the prescriptions available) to pharmacists 706 (e.g., via network727). Pharmacists 706 fill the prescriptions and provide the prescribedmedication to patients 708. Patients 708 and/or their insurers are thenbilled for the medication.

As shown in FIG. 7, rights management techniques can be used to controlthe integrity and efficiency of this process. For example, if it weredesired to allow only a licensed physician to write prescriptions (orcertain types of prescriptions), the prescription packaging application707 could require physicians 702 to first present a valid credential 703issued by a medical licensing authority 710, the credential identifyingthe physician as being licensed to issue prescriptions. The applicationmay also require the physician 702 to login using a password, smartcard,or biometric information, and may also generate audit records regardingthe physician's activities.

In addition, the packaging application 707 may itself be certified bythe medical licensing authority 710. For example, the medical licensingauthority 710 could codify its requirements for ensuring that onlylicensed physicians write (package) prescriptions, and provide theserequirements to a certification agent, as described above in connectionwith FIG. 1. The prescription packaging application 707 would then becertified against these specifications. For example, the application 707may receive certification 705 only if it is designed to check for thecredentials of users/physicians in an appropriate manner. Prescriptionsthat are not generated by a certified application 707 could beidentified and rejected by the other entities shown in FIG. 7, sincesuch prescriptions may not have been generated by a licensed physician,or might be otherwise defective.

As shown in FIG. 7, a similar process can be used to ensure that only alicensed pharmacist 706 is able to fill a prescription. Licensedpharmacists 706 receive credentials 713 from a licensing authority 712.The pharmacist's application 714 and/or the digital rights managementfunctionality incorporated therein, may also require users to log inusing a password or other identification technique. Alternatively, or inaddition, the pharmacist licensing authority could codify itsrequirements for prescription rendering application 714 and providethese requirements to a certification agent. The certification agentwould issue credentials 717 to prescription rendering applications 714that satisfied these requirements. Thus, to ensure that prescriptionsare only accessed by licensed pharmacists, prescription packagingapplications 707 could package prescriptions 704 in protected form, withan associated rule that required the detection of an appropriatecredential or credentials (e.g., the credential of a licensed pharmacistand/or of an application that had been certified to detect such acredential) before allowing access to the prescription data.

Other entities may also wish to impose certain constraints on thephysician and/or pharmacist. For example, an insurer 720 may wish toensure that physicians prescribe generic medicine when it is as good asa brand name drug. In addition, the insurer or a governmental entity mayalso wish to ensure that any medicine that is prescribed does notconflict with previous prescriptions. To effectuate such control, thepackaging application could be required to possess a certificate 721from the insurer or its agents that confirmed that the packagingapplication had been designed in a manner that ensured that thesefunctions would be performed (the functions themselves could beperformed in any manner deemed suitable by the certifying authority).The system administrator could check for this credential (which wouldnot necessarily need to be in electronic form) as a condition toinstalling the application on the system, and/or prescriptions packagedusing such applications could indicate the certification status of thepackaging application, thus allowing other system participants (e.g.,pharmacists 706) to check for the presence of this credential as acondition of accepting a prescription.

It will thus be appreciated that any suitable combination ofcertificates can used to ensure that the system operates in the desiredmanner and that the rights and interests of the system participants areprotected. For example, an insurer might certify the pharmacist'sapplication only if it provides billing information in a particularmanner, and pharmacists could be prevented from accessing prescriptionsfor a patient covered by the subject insurer without having thecredential present that indicates the insurer or its delegated agent hascertified the application. Similarly, the Federal government or aconsumer watchdog group may issue certificates to applications thathandle medical records in conformance with certain privacy requirements.In short, the present invention provides a flexible mechanism formanaging the packaging and use of electronic data in a wide variety ofways and in accordance with the requirements and interests of a widevariety of disparate institutions. While several examples have beengiven in the context of medical or educational content, and content suchas songs, movies, books and reports, one of skill in the art willrecognize that these are but a few illustrative examples of the generalapplicability of the concepts presented herein.

As previously indicated, the credentials associated with an applicationcan take a variety of forms and can be issued from any of a variety ofentities. In some embodiments a credential may simply comprise a digitalsignature or other indication that an entity has generally approved theapplication, and/or confirmed that the application functions in acertain manner. In other embodiments, the credential may contain moredetailed information, such as information regarding the level ofsecurity the application possesses, or other information that can beused to make decisions regarding the content the application is allowedto access and/or the operations the application is allowed to perform.

As described above, one way for content owners and/or applicationdevelopers to control the risk that their property will be stolen ormisused is by associating special rules with their content and/orapplications. These rules can be used by a digital rights managementsystem and/or rendering application to test for various attributes ofthe systems and/or applications upon which the content and/orapplications are used. For example, rules associated with content and/orapplications can be used to check for credentials that identify systemcharacteristics such as:

Digital Rights Management System Attributes and Capabilities. Theattributes and capabilities of the client-side digital rights managementsystem can themselves be checked. For example, content use may bepreconditioned on the existence of certain capabilities or protectionmechanisms. The presence or absence of these capabilities could beprovided in an credential stored by the digital rights managementsystem, or could be obtained from the digital rights management systemin some other fashion. For example attributes such as the followingcould be checked:

(a) Level of Tamper Resistance. The content provider may check whetherthe digital rights management system uses dedicated hardware tamperresistance (e.g., a secure processing unit); a mixture of hardware andsoftware tamper resistance; or software tamper resistance only.

(b) Digital Rights Management Version. The content provider may onlywish to allow access on a specific version of the digital rightsmanagement system.

(c) Operating System. The content provider may wish to allow onlycertain types of access on certain operating systems (e.g., Windows,Macintosh, Linux, etc.) or versions of operating systems (e.g., Windows95, Windows 98, Windows NT, Windows 2000, Windows XP).

User Attributes. The content owner may also wish to check certainattributes or credentials associated with the user. For example, userauthentication can be accomplished by creating a token during activationor as a result of subsequent interactions with the digital rightmanagement system's deployment manager and/or clearinghouseinfrastructure. This token and its associated attributes (if any) can bechecked by the client digital rights management software. For example,the tokens may be associated with some or all of the followingattributes:

(a) Physical confirmation of identity

(b) Validated Name, Email, Address

(c) Unvalidated Name & Email

(d) Anonymous

Application/Module Credential Attributes. Attributes of the applicationsused to render or process the content can also be checked. For example,some or all of the following types of attributes could be associatedwith an application, and included in control sets associated with thecontent:

(a) ID Attribute. Allows a control to check for a specific applicationor module ID. This can be used to restrict access to only certainapplications, modules, or components.

(b) “Certified By” Attribute. Indicates who has certified the componentfor proper behavior and architecture. For example, this attribute mayindicate that the application or module was certified by the provider ofthe trust management engine, or that the application or module wasself-certified by the application or module developer.

(c) Content Exposure Attribute. Indicates the level of exposure withinthe module to unauthorized content use. The level of exposure will bedirectly related to the module's architecture and use of scripting,plug-ins, and so forth. Values for this attribute (set by, e.g., thedigital rights management provider) might include:

(i) Minimal Exposure. No obvious attacks exist; only obscure attacksrequiring sophisticated programming skills Dependent module credentialsare fully checked.

(ii) Moderate Exposure. Known attacks exist, but require someprogramming skills Dependent modules may be checked. An example would bean application based on the COM architecture.

(iii) High Exposure. Known attacks exist, and are easily mounted usingavailable tools and utilities and requiring little or no programmingskills Dependent modules are typically not checked. An example would bean application with non-trusted scripting or add-in capabilities.

(d) Output Driver Attribute. Indicates whether the module checks outputdrivers for integrity (valid credential or signature). For example, thisattribute might indicate that:

(i) Module implements a direct check of output driver credentials.

(ii) Module implements an indirect check of output driver integrity.

(iii) Module does not check output drivers.

(e) Output Device Attribute. Indicates whether the module checks outputdevices for integrity. For example, this attribute might indicate that:

(i) Module implements direct check of output device.

(ii) Module implement indirect check of output device.

(iii) Module does not check output devices.

FIG. 8 shows several credentials 802, 812 that include the attributesdescribed above. Referring to FIG. 8, credential 802 illustrates acredential with multiple attributes that can be associated with thedigital rights management application on a user's system. Credential 802contains the digital signature 804 of its issuer (thus attesting to theauthenticity of the credential and protecting against undetectedmodification), as well as fields that specify certain attributes of thelocal digital rights management system, such as its tamper resistance(806) and the platform on which it is installed (808). Credential 802may also contain specify a variety of other attributes. Similarly,credential 812 illustrates a credential that might be associated with acontent-rendering application. As shown in FIG. 8, credential 812 mightinclude an attribute that indicates the level of content exposureassociated with the application (814), an indication of whether theapplication checks output drivers for integrity (816), and the like. Itshould be appreciated that there are a wide variety of ways to implementthe functionality described above. For example, the attributes shown inFIG. 8 as part of a single credential could, instead, be distributedacross multiple credentials and/or additional attributes could be addedto each credential.

When a digital rights management system obtains a piece of content thatrequires that certain ones of these attributes be satisfied, it canretrieve credential 804, verify its signature, and check the values ofthe appropriate attributes to see if the conditions are satisfied, inwhich case the desired use of the content can be allowed.

The provider of the digital rights management system (or other secureclient software), may issue a credential to applications certified bythe provider as meeting certain security requirements. A lesser level of“certification” may be provided to applications that are merely capableof operating in connection with the secure processing software, butabout which the provider makes no representations as to security. Thesedifferent levels of certification could be represented by differentcredentials assigned to the application, or by different attributesspecified in a single credential.

As described elsewhere herein, specific industries or associations mayelect to define attributes or certificates to indicate that theapplication meets the required industry or association requirements forcapability, security, privacy, etc. These attributes may also be checkedby controls to ensure that content is only accessible to approvedapplications. For example, a national medical association may wish todefine an attribute that indicates that an application meets theassociation's guidelines for handling of patient medical data. Asanother example, a privacy certification provider may wish to define anattribute that indicates the application meets its guidelines.

This approach implies the existence of more than one agency involved insetting credential attributes based on their own independent testing.Each agency would be responsible for securely adding the agency'sattribute to an existing credential. In one embodiment, the applicationwriter would submit the application to one agency for certification, andthen take the application and the credential from the first agency toother agencies for additional certification.

Since there are many reasons a user may not be able to access a specificpiece of content with a given application, the application should becapable of displaying a reasonable message to the user that describeswhy they can't access the content. For example, if an application doesnot support the format or version of the requested content, a messagesuch as “This application does not support the requested data type (mimetype)” could be displayed. If the control requires a membership cardwhich does not exist, has expired, etc., an error message such as “Novalid controls/offers exist for this content. Contact <control providername>” could be provided. Similarly, if the control requires applicationcredential attributes that are not set, a message such as “Thisapplication is not authorized for this content. Contact <applicationprovider>” could be displayed. As yet another example, if a user doesnot have the required authentication level, a message such as “Youraccount is not authorized for this content. Contact <authenticationlevel provider>” could be displayed.

FIG. 9 shows an example of a computer system 900 that can be used topractice embodiments of the present invention. Computer system 900 maycomprise a general-purpose computing device such as a personal computeror network server, or a specialized computing device such as a cellulartelephone, personal digital assistant, portable audio or video player,television set-top box, kiosk, or the like. Computing device 900 willtypically include a processor 902, memory 904, a user interface 906, aport 907 for accepting removable memory 908, a network interface 910,and a bus 912 for connecting the aforementioned elements. The operationof computing device 900 will typically be controlled by processor 902operating under the guidance of programs stored in memory 904. Memory904 will generally include both high-speed random-access memory (RAM)and non-volatile memory such as a magnetic disk and/or flash EEPROM.Some portions of memory 904 may be restricted, such that they cannot beread from or written to by other components of the computing device 900.Port 907 may comprise a disk drive or memory slot for acceptingcomputer-readable media such as floppy diskettes, CD-ROMs, DVDs, memorycards, other magnetic or optical media, or the like. Network interface910 is typically operable to provide a connection between computingdevice 900 and other computing devices (and/or networks of computingdevices) via a network 920 such as the Internet or an intranet (e.g., aLAN, WAN, VPN, etc.). In some embodiments, computing device 900 includesa secure processing unit 903 such as that described in the '900 patent.A secure processing unit can help enhance the security of sensitiveoperations such as key management, signature verification, and otheraspects of the rights management process.

As shown in FIG. 9, memory 904 of computing device 900 may include avariety of programs or modules for controlling the operation ofcomputing device 900. For example, memory 904 will typically include oneor more content rendering applications 930 (such as document editors orviewers, electronic book readers, video players, music players,electronic mail or messaging programs, or the like) for presentingelectronic content to users of the system. In some embodiments, one ormore of the rendering applications 930 may also be capable of applyingpolicies, rules, and/or controls to govern the use of content or theperformance of events. Alternatively, or in addition, these policies,rules, and/or controls may be applied by a rights management program 929such as that described above and/or in the '900 patent. Memory 904 mayalso include a program—such as that described in U.S. patent applicationSer. No. 09/617,148, entitled “Trusted Storage Systems and Methods”,filed Jul. 17, 2000, which is hereby incorporated by reference—formaintaining a database of protected data, such as cryptographic keys,certificates, or the like. In addition, memory 904 will typicallycontain one or more pieces of protected content 934.

One of ordinary skill in the art will appreciate that the systems andmethods of the present invention can be practiced with computing devicessimilar or identical to that illustrated in FIG. 9, or with virtuallyany other suitable computing device, including computing devices that donot possess some of the components shown in FIG. 9 and/or computingdevices that possess other components that are not shown. Thus it shouldbe appreciated that FIG. 9 is provided for purposes of illustration andnot limitation as to the scope of the invention.

Although the foregoing invention has been described in some detail forpurposes of clarity, it will be apparent that certain changes andmodifications may be practiced within the scope of the appended claims.It should be noted that there are many alternative ways of implementingboth the processes and apparatuses of the present invention.Accordingly, the present embodiments are to be considered asillustrative and not restrictive, and the invention is not to be limitedto the details given herein, but may be modified within the scope andequivalents of the appended claims.

What is claimed is:
 1. A method for managing the use of protectedelectronic content by a rights management application executing on acomputing device, the method comprising: receiving, from a firstapplication executing on the computing device, by a second applicationexecuting on the computing device, a request to use the protectedelectronic content and a first credential associated with the firstapplication; receiving, from the second application executing on thecomputing device by the rights management application, the request touse the protected content and a second credential associated with thesecond application; validating, by the rights management application,the second credential; sending, by the rights management applicationbased on validating the second credential, the protected electroniccontent to the second application; validating, by the secondapplication, the first credential; and sending, by the secondapplication based on validating the first credential, the protectedelectronic content to the first application for use in accordance withthe request.
 2. The method of claim 1, wherein the first credentialcomprises a credential issued by a credentialing authority based on thecredentialing authority validating that the first application meets apredefined level of security.
 3. The method of claim 1, wherein thesecond credential comprises a credential issued by a credentialingauthority based on the credentialing authority validating that thesecond application meets a predefined level of security.
 4. The methodof claim 1, wherein the request to use the protected electronic contentcomprises a request to render the protected electronic content.
 5. Themethod of claim 1, wherein the request to use the protected electroniccontent comprises a request to receive a copy of the protectedelectronic content.
 6. The method of claim 1, wherein the protectedelectronic content comprises electronic content stored in a protectedstorage managed by the rights management application.
 7. The method ofclaim 1, wherein the protected electronic content comprises electroniccontent stored in unprotected storage encrypted with a protected key. 8.The method of claim 1, wherein the protected electronic content isassociated with at least one control governing use of the protectedelectronic content.
 9. The method of claim 8, wherein the at least onecontrol requires possession of the first credential prior to allowinguse of the protected electronic content.
 10. The method of claim 9,wherein the at least one control is securely associated with theprotected electronic content.
 11. A non-transitory computer-readablestorage medium storing instructions that, when executing by a processorof a computing system, are configured to cause the processor to:receive, from a first application executing on the computing system by asecond application executing on the computing system, a request to use apiece of electronic content managed by a rights management applicationexecuting on the computing system and first credential associated withthe first application; receive, from the second application executing onthe computing device by the rights management application, the requestto use the protected content and a second credential associated with thesecond application; validate, by the rights management application, thesecond credential; send, by the rights management application based onvalidating the second credential, the protected electronic content tothe second application; validate, by the second application, the firstcredential; and send, by the second application based on validating thefirst credential, the protected electronic content to the firstapplication for use in accordance with the request.
 12. Thenon-transitory computer-readable storage medium of claim 11, wherein thefirst credential comprises a credential issued by a credentialingauthority based on the credentialing authority validating that the firstapplication meets a predefined level of security.
 13. The non-transitorycomputer-readable storage medium of claim 11, wherein the secondcredential comprises a credential issued by a credentialing authoritybased on the credentialing authority validating that the secondapplication meets a predefined level of security.
 14. The non-transitorycomputer-readable storage medium of claim 11, wherein the request to usethe protected electronic content comprises a request to render theprotected electronic content.
 15. The non-transitory computer-readablestorage medium of claim 11, wherein the request to use the protectedelectronic content comprises a request to receive a copy of theprotected electronic content.
 16. The non-transitory computer-readablestorage medium of claim 11, wherein the protected electronic contentcomprises electronic content stored in a protected storage managed bythe rights management application.
 17. The non-transitorycomputer-readable storage medium of claim 11, wherein the protectedelectronic content comprises electronic content stored in unprotectedstorage encrypted with a protected key.
 18. The non-transitorycomputer-readable storage medium of claim 11, wherein the protectedelectronic content is associated with at least one control governing useof the protected electronic content.
 19. The non-transitorycomputer-readable storage medium of claim 18, wherein the at least onecontrol requires possession of the first credential prior to allowinguse of the protected electronic content.
 20. The non-transitorycomputer-readable storage medium of claim 19, wherein the at least onecontrol is securely associated with the protected electronic content.